Legal claims defining the scope of protection, as filed with the USPTO.
1. A network switch comprising: a plurality of ports configured to receive a plurality of packets transmitted from a network to the network switch; a memory configured to store patterns of the plurality of packets through the network switch; a packet processor comprising a classifier, wherein the classifier is configured to select a subset of the plurality of packets according to (i) contents of the plurality of packets, and (ii) sampling criteria, and wherein the selected subset of the plurality of packets includes selected ones of the plurality of packets; and a first processor separate from the packet processor, wherein the first processor is configured to (i) determine, based on the subset of the plurality of packets, whether the plurality of packets are associated with an attack on the network switch, and (ii) in response to determining the subset of the plurality of packets are not associated with an attack, update the patterns of the plurality of packets through the network switch based on characteristics of the subset of the plurality of packets, wherein the classifier is configured to, prior to the first processor determining whether the plurality of packets are associated with an attack, copy the subset of the plurality of packets to the first processor while maintaining the plurality of packets in the packet processor.
2. The network switch of claim 1, wherein: the memory is configured to store a first table; and the packet processor is configured to transfer the plurality of packets between the plurality of ports according to contents of the first table.
3. The network switch of claim 2, wherein: the first table includes packet patterns comprising (i) a time of use pattern, or (ii) an amount of use pattern; the time of use pattern includes dates and times packets are transmitted between (i) the network switch and (ii) a network device transmitting the plurality of packets; and the amount of use pattern includes (i) periods when packets are transmitted between the network switch and the network device, and (ii) an amount of data transmitted between the network switch and the network device during the periods.
4. The network switch of claim 3, wherein the first processor is configured to: compare the time of use pattern with a current date and time when the plurality of packets are received by the network switch; and determine whether an attack upon the network switch has occurred based on the comparison.
5. The network switch of claim 3, wherein the first processor is configured to: compare the time of use pattern to (i) a period associated with transmitting the plurality of packets to the network switch, and (ii) an amount of data in the plurality of packets; and determine whether an attack upon the network switch has occurred based on the comparison.
6. The network switch of claim 2, wherein: the memory is configured to store a second table; the second table comprises data describing traffic patterns of the plurality of packets; the first processor is configured to, in response to determining the subset of the plurality of packets are not associated with an attack, modify the second table based on the characteristics of the subset of the plurality of packets; and the first processor is configured to determine, based on contents of the second table, whether an attack upon the network switch has occurred.
7. The network switch of claim 6, wherein: the characteristics of the subset of the plurality of packets comprise data rates of the plurality of packets, an amount of data in the plurality of packets, and times the plurality of packets are transmitted to the network switch; and the first processor is configured to determine whether an attack upon the network switch has occurred based on (i) the data rates, (ii) the amount of data, and (iii) the times.
8. The network switch of claim 6, wherein: the second table comprises (i) a first identifier of a first switch interface of the network switch receiving the plurality of packets, and (ii) a second identifier of a switch interface of the network switch transmitting the plurality of packets; and the first processor is configured to determine whether an attack upon the network switch has occurred based on the first identifier matching the second identifier.
9. The network switch of claim 1, wherein the sampling criteria comprises selecting the subset of the plurality of packets based on (i) destination addresses of the plurality of packets, and (ii) source addresses of the plurality of packets.
10. The network switch of claim 1, wherein: the sampling criteria comprises selecting the subset of the plurality of packets based on (i) data rates of the plurality of packets, (ii) an amount of data in the plurality of packets, (iii) identifiers of network devices other than the network switch in paths of the plurality of packets, and (iv) a time when the plurality of packets is received at the network switch; and the classifier is configured to, when selecting the subset of the plurality of packets, select only packets belonging to data newly arrived at the network switch.
11. The network switch of claim 1, wherein the sampling criteria comprises selecting the subset of the plurality of packets based on: destination addresses of the plurality of packets; source addresses of the plurality of packets; identifiers of switch interfaces of the network switch receiving the plurality of packets into the network switch; identifiers of switch interfaces of the network switch transmitting the plurality of packets from the network switch; data rates of the plurality of packets; an amount of data in the plurality of packets; identifiers of network devices other than the network switch in paths of the plurality of packets; and times of occurrence of the plurality of packets, wherein the classifier is configured to, when selecting the subset of the plurality of packets, select only packets belonging to data newly arrived at the network switch.
12. The network switch of claim 1, further comprising switch interfaces, wherein: the first processor is configured to detect Internet protocol spoofing including determining whether a switch interface of the network switch receiving the plurality of packets from a network device over the network is used to send a packet to the network device; and the first processor is configured to detect the Internet protocol spoofing when the switch interface is not used to send a packet to the network device.
13. The network switch of claim 1, wherein: the classifier is configured to select the subset of the plurality of packets according to contents of the plurality of packets and the sampling criteria; the sampling criteria comprises selecting the subset of the plurality of packets based on (i) data rates of the plurality of packets, (ii) an amount of data in the plurality of packets, and (iii) times the plurality of packets are transmitted to the network switch; and the first processor is configured to determine whether an attack upon the network switch has occurred based on (i) the data rates, (ii) the amount of data, and (iii) the times.
14. The network switch of claim 1, wherein: the sampling criteria comprises selecting the subset of the plurality of packets based on (i) a first identifier of a first switch interface of the network switch receiving the plurality of packets, and (ii) a second identifier of a second switch interface of the network switch transmitting the plurality of packets; and the first processor is configured to determine whether an attack upon the network switch has occurred based on the first identifier matching the second identifier.
15. The network switch of claim 1, wherein the classifier is configured to send the subset of the plurality of packets to the first processor regardless of whether the subset of the plurality of packets are associated with an attack.
16. The network switch of claim 1, wherein the classifier is configured to select ones of the plurality of packets to generate the subset of the plurality of packets regardless of whether the subset of the plurality of packets are associated with an attack.
17. The network switch of claim 1, wherein: the memory is configured to store a table describing the patterns of the plurality of packets through the network switch; the processor is configured to (i) modify the table based on the characteristics of the subset of the plurality of packets, and (ii) determine whether an attack upon the network switch has occurred based on contents of the table; and the table comprises destination addresses of plurality of packets, source addresses of plurality of packets, identifiers of switch interfaces of the network switch receiving the plurality of packets into the network switch, identifiers of switch interfaces of the network switch transmitting the plurality of packets from the network switch, data rates of the plurality of packets, an amount of data in the plurality of packets, identifiers of network devices other than network devices involved in transferring the plurality of packets to the network switch, and times the plurality of packets are transmitted to the network switch.
18. The network switch of claim 17, wherein the characteristics of the subset of the plurality of packets comprise: data rates of the plurality of packets; an amount of data in the plurality of packets; and times the plurality of packets are transmitted to the network switch.
19. The network switch of claim 1, further comprising: an alarm unit configured to indicate an attack in response to the first processor determining an attack upon the network switch has occurred; and a blocking unit configured to block packets of the plurality of packets related to the attack in response to the first processor determining an attack upon the network switch has occurred.
20. The network switch of claim 1, wherein the patterns of the plurality of packets through the network switch comprise a time of use pattern.
21. The network switch of claim 20, wherein the patterns of the plurality of packets through the network switch comprise an amount of use pattern.
22. A network switch comprising: a plurality of ports configured to receive a plurality of packets transmitted from a network to the network switch; a memory configured to store patterns of the plurality of packets through the network switch; a packet processor comprising a classifier, wherein the classifier is configured to select a subset of the plurality of packets according to sampling criteria, the selected subset of the plurality of packets includes selected ones of the plurality of packets, and the sampling criteria comprises selecting the subset of the plurality of packets based on (i) identifiers of switch interfaces of the network switch receiving the plurality of packets into the network switch, and (ii) identifiers of switch interfaces of the network switch transmitting the plurality of packets from the network switch; and a first processor separate from the packet processor, wherein the first processor is configured to (i) determine, based on the subset of the plurality of packets, whether the plurality of packets are associated with an attack on the network switch, and (ii) in response to determining the subset of the plurality of packets are not associated with an attack, update the patterns of the plurality of packets through the network switch based on characteristics of the subset of the plurality of packets, wherein the classifier is configured to, prior to the first processor determining whether the plurality of packets are associated with an attack, copy the subset of the plurality of packets to the first processor while maintaining the plurality of packets in the packet processor.
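As an added illustration that is not part of the patent or its claims, the following Python model walks through the detection flow the claims describe: a classifier in the forwarding path samples a subset of packets (the first packet of each new flow, then every Nth), copies each sample to a separate control processor, and keeps forwarding; the control processor checks the sample for the indications named in claims 4, 5, 8 and 12 (time of use, amount of use, ingress interface equal to egress interface, and source address spoofing judged by whether the receiving interface is the one used to reach that source), updates the stored pattern only when the sample is judged benign (claim 1 (ii)), and feeds a blocking unit (claim 19). All addresses, interface numbers, thresholds and traffic are constructed for the example; the class and field names are the example's own, not the patent's.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Packet:
    src: str       # claimed source address
    dst: str       # destination address
    in_if: int     # switch interface that received the packet
    size: int      # bytes
    ts: datetime   # time of arrival at the switch


@dataclass
class UsePattern:
    """Learned time-of-use and amount-of-use pattern for one source (after claim 3)."""
    samples: int = 0
    hours_seen: set = field(default_factory=set)
    max_bytes: int = 0


class Classifier:
    """Packet-processor side (claims 1, 10): first packet of each new flow, then every Nth."""

    def __init__(self, sample_every=4):
        self.sample_every = sample_every
        self.flow_counts = defaultdict(int)

    def select(self, pkt):
        n = self.flow_counts[(pkt.src, pkt.dst)]
        self.flow_counts[(pkt.src, pkt.dst)] += 1
        return n % self.sample_every == 0  # n == 0 is "newly arrived" data


class ControlProcessor:
    """The separate 'first processor' of claim 1. Thresholds are constructed values."""
    def __init__(self, fib, min_samples=5, volume_factor=3):
        self.fib = fib                            # dst address -> egress interface (claim 2)
        self.patterns = defaultdict(UsePattern)   # the pattern table of claim 6
        self.min_samples, self.volume_factor = min_samples, volume_factor
        self.blocked = set()                      # (src, in_if) pairs the blocking unit drops

    def inspect(self, pkt):
        """Return the attack indications for one sample; an empty list means benign."""
        reasons = []
        # Claim 12: receiving interface is not the one used to send back to the claimed source
        if self.fib.get(pkt.src) != pkt.in_if:
            reasons.append("spoofed-source")
        if self.fib.get(pkt.dst) == pkt.in_if:    # claim 8: ingress == egress interface
            reasons.append("hairpin")
        pat = self.patterns[pkt.src]
        if pat.samples >= self.min_samples:       # judge only against an established pattern
            if pkt.ts.hour not in pat.hours_seen:  # claim 4: outside the time-of-use pattern
                reasons.append("off-hours")
            if pkt.size > self.volume_factor * pat.max_bytes:  # claim 5: amount of use
                reasons.append("volume")
        if reasons:
            self.blocked.add((pkt.src, pkt.in_if))
        else:
            # Claim 1 (ii): only benign samples update the pattern (attacks cannot become "normal")
            pat.samples += 1
            pat.hours_seen.add(pkt.ts.hour)
            pat.max_bytes = max(pat.max_bytes, pkt.size)
        return reasons


class Switch:
    def __init__(self, fib):
        self.classifier, self.cpu = Classifier(), ControlProcessor(fib)
        self.alerts, self.forwarded, self.dropped = [], 0, 0

    def process(self, pkt):
        if (pkt.src, pkt.in_if) in self.cpu.blocked:   # blocking unit (claim 19)
            self.dropped += 1
            return
        if self.classifier.select(pkt):
            # a copy goes to the control processor; the packet stays in the forwarding path (claim 1)
            reasons = self.cpu.inspect(pkt)
            if reasons:
                self.alerts.append((pkt.src, pkt.in_if, tuple(reasons)))  # alarm unit
        self.forwarded += 1


def demo():
    """Constructed traffic against a constructed forwarding table; returns the switch."""
    sw = Switch({"10.0.1.5": 1, "10.0.2.9": 2, "10.0.3.3": 3})
    t0 = datetime(2014, 2, 25, 9, 0)

    def send(src, dst, in_if, size, minutes):
        sw.process(Packet(src, dst, in_if, size, t0 + timedelta(minutes=minutes)))

    for m in range(40):                            # benign baseline: 10.0.1.5 on interface 1
        send("10.0.1.5", "10.0.2.9", 1, 500, m)
    send("10.0.1.5", "10.0.2.9", 3, 500, 41)       # same source claimed, but from interface 3
    send("10.0.1.5", "10.0.2.9", 3, 500, 42)       # now dropped by the blocking unit
    send("10.0.1.5", "10.0.3.3", 1, 5000, 43)      # ten times the learned packet size
    send("10.0.1.5", "10.0.2.9", 1, 500, 44)       # dropped: (10.0.1.5, 1) is now blocked
    for m in range(60, 80):                        # baseline for 10.0.2.9 on interface 2
        send("10.0.2.9", "10.0.1.5", 2, 500, m)
    send("10.0.2.9", "10.0.3.3", 2, 500, 18 * 60)  # 03:00 next day: outside its hours
    return sw
```

Two design points follow directly from the claim language. The pattern table is updated only from samples that were judged benign, which is what keeps an attacker from slowly shifting the baseline; and the blocking unit here is keyed on the (source address, receiving interface) pair rather than on the address alone, so a spoofed source does not take the real host on another interface offline. The "hairpin" and off-hours checks are implemented exactly as the claims state them; on a real deployment both need tuning, since some topologies legitimately forward out the receiving interface and a learned time-of-use pattern is only as good as the learning window.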
February 25, 2014